DoS Amplification Attacks – Protocol-Agnostic Detection of Service Abuse in Amplifier Networks
For many years, Distributed Denial-of-Service (DDoS) attacks have been known to be a threat to Internet services. Recently, a configuration flaw in NTP daemons led to attacks with traffic rates of several hundred Gbit/s. In such attacks a third party, the amplifier, is used to significantly increase the volume of traffic reflected to the victim. Recent research revealed further UDP-based protocols that are vulnerable to amplification attacks. Detecting such attacks from the point of view of an abused amplifier network has rarely been investigated.
In this work we identify novel properties which characterize amplification attacks and allow identifying the illegitimate use of arbitrary services.
Their suitability for amplification attack detection is evaluated in large high-speed research networks. We show that our approach detects attacks that have already been seen in the wild as well as attacks we conducted ourselves exploiting newly discovered vulnerabilities.
Keywords: Packet Size, Similarity Factor, Request Message, Attack Detection, Incoming Request
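To make the amplifier-side viewpoint concrete, the following is an added illustrative example, not code from the paper or its authors. It folds a stream of UDP datagrams observed at an amplifier network into per-client statistics and flags clients whose traffic matches an amplification-attack profile. The three properties it uses (request count, bytes-out/bytes-in ratio, and how often the same request payload is replayed), the thresholds, the service address 198.51.100.10 on UDP/123, and the sample traffic are all assumptions inspired by the abstract's keywords, not the paper's actual method or data; only the protocol-agnostic idea (look at what a service is asked and what it sends back, regardless of which protocol it speaks) is taken from the page.

```python
"""Amplifier-side detection of amplification abuse, independent of the
service protocol. Added illustrative example; the per-client properties
(request count, bytes-out/bytes-in ratio, request payload similarity) and
thresholds are assumptions, not the paper's exact method."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One UDP datagram seen at the border of the amplifier network."""
    src: str
    dst: str
    sport: int
    dport: int
    size: int        # datagram size in bytes (headers included)
    payload: bytes   # UDP payload, used only for request similarity


@dataclass
class ClientStats:
    """Per remote address: what it asked for and what the service sent back."""
    requests: int = 0
    bytes_in: int = 0
    bytes_out: int = 0
    payloads: Counter = field(default_factory=Counter)

    @property
    def amplification(self) -> float:
        """Bandwidth amplification factor from the service's own viewpoint."""
        return self.bytes_out / self.bytes_in if self.bytes_in else 0.0

    @property
    def similarity(self) -> float:
        """Fraction of requests that repeat the single most common payload.
        Spoofed attack traffic is typically one request replayed verbatim."""
        if not self.requests:
            return 0.0
        return self.payloads.most_common(1)[0][1] / self.requests


def aggregate(packets, service_addr, service_port):
    """Fold a packet stream into per-client statistics for one local service.
    Requests are datagrams to the service; responses are datagrams from it."""
    stats = defaultdict(ClientStats)
    for p in packets:
        if p.dst == service_addr and p.dport == service_port:    # incoming request
            s = stats[p.src]
            s.requests += 1
            s.bytes_in += p.size
            s.payloads[p.payload] += 1
        elif p.src == service_addr and p.sport == service_port:  # outgoing response
            stats[p.dst].bytes_out += p.size
    return dict(stats)


def flag_abuse(stats, min_requests=10, min_amplification=5.0, min_similarity=0.9):
    """Return clients whose traffic matches the amplification-attack profile:
    many requests, far more bytes sent back than received, near-identical
    requests. Thresholds are illustrative assumptions, not values from the paper."""
    return sorted(
        client for client, s in stats.items()
        if s.requests >= min_requests
        and s.amplification >= min_amplification
        and s.similarity >= min_similarity
    )


SERVICE = "198.51.100.10"   # assumed address of the local UDP service (RFC 5737 block)
PORT = 123                  # assumed service port; the logic does not depend on it


def sample_traffic():
    """Constructed capture: one legitimate client and one spoofed victim address
    whose requests are identical and answered with multi-datagram replies."""
    pkts = []
    legit, victim = "203.0.113.5", "192.0.2.44"
    for i in range(3):   # three distinct requests, each answered once
        pkts.append(Packet(legit, SERVICE, 40000 + i, PORT, 48, bytes([0x23, i])))
        pkts.append(Packet(SERVICE, legit, PORT, 40000 + i, 90, b"r" * 62))
    for _ in range(40):  # same request replayed; every one answered by three 468-byte datagrams
        pkts.append(Packet(victim, SERVICE, 50000, PORT, 60, b"\x17\x00\x03\x2a"))
        pkts.extend(Packet(SERVICE, victim, PORT, 50000, 468, b"x" * 440) for _ in range(3))
    return pkts


if __name__ == "__main__":
    stats = aggregate(sample_traffic(), SERVICE, PORT)
    for client, s in stats.items():
        print(f"{client:14} req={s.requests:3d} amp={s.amplification:6.2f} sim={s.similarity:.2f}")
    print("flagged:", flag_abuse(stats))
```

Note that the detector never parses the service protocol: it keys on the service's address and port and compares request and response volumes and request repetition, so the same logic applies to a DNS, NTP or any other UDP service. In a real deployment the statistics would be kept per time window rather than over a whole capture, and the flagged client address is the spoofed victim, so the appropriate response is rate-limiting or dropping replies to it, not blocking a supposed attacker.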